[southerntofu]

Not exactly ruined, but it introduces a lot of problems. First, because it's a very WEAK privacy protection regulation, where explicit concern is only one of the six criteria you can use to legally collect personal information.

Second, because some of those other criteria are absurd: legitimate interest, really? What does that even mean? And let's not even get started on legal requests for interception of personal data.

Third, because it gives people a false sense of security while pretending their privacy is being respected. But GDPR is in fact much weaker than some previous privacy regulations, including French "Informatique et Libertés" law from 1978. GDPR is a huge regression for privacy online: a huge regression because most privacy invasion that was illegal in French law (and others) is now perfectly legal, and because in terms of UX we now have "consent" popups everywhere, destroying the very concept of consent* and forcing everyone and anyone to use JavaScript to use websites (JavaScript being the enemy of security and privacy on the web).

EDIT: Why do you think those regulations passed without even strong debate/opposition? In the rare case regulators want to make a good consumer protection regulation, there is systematically strong opposition from the lobbies, and the law is usually taken down or rendered meaningless. The "rendered meaningless" part didn't even have to take place with GDPR because the law was insignificant to begin with.

* Explicit user consent is slowly starting to be interpreted as in sexual consent, i.e. you can refuse without negative consequences. But even that basic interpretation is taken time to become unanimous.